The JumpCloud AD Bridge mirrors users and their groups to JumpCloud based on the contents of two Security Groups that you'll add to your Active Directory controller (these must go in the standard Users OU):
- "JumpCloud": users or groups within this group will be mirrored to JumpCloud. In JumpCloud the users will show as having come from Active Directory. Groups are reflected as Tags in JumpCloud. Any groups of which a user is a member (whether or not those groups are in the "JumpCloud" group in AD) will be created as Tags in JumpCloud. You can choose to add server access to those tags or not, at your discretion.
- "JumpCloud Admins": any user in this group (who is also a member of the "JumpCloud" group) will be set to "System Admin/Sudo" access. This allows you to control administrator access to all resources managed by JumpCloud right from your Active Directory console. NOTE: The "JumpCloud Admins" group does not cause any users to be synchronized to JumpCloud; it only enables or disables sudo/System Administrator access on users who are in the "JumpCloud" group.
JumpCloud mirrors the following data fields from Active Directory:
- First and Last Name
- Email address
Note: The use of the Active Directory Bridge with Google Apps or Office 365 User Provisioning is mutually exclusive. A pre-existing AD Bridge Agent can be de-activated in order to integrate with Google Apps or Office 365. The same applies in reverse.
Note: The JumpCloud agent is not supported on a domain-joined system.
Changing the Email Address or User Name
If you change the email address of the user in the General tab of the User Properties window, or change the user name in the Accounts tab of the User Properties window, the AD Bridge will delete the original user account and re-add it with the new name. This will require the user to reset their password in Windows again, but they will receive the same access as the original user.
All users synced to JumpCloud must have an email address, and there are two locations where JumpCloud looks for email addresses:
- The first place JumpCloud looks is in the "E-mail:" field of the General tab in the User's Properties box.
- The second place it will look is at the Login name in the "Accounts" tab, where the login name@domain is the email for the user.
- Note that if modifications occur and a user needs to be put back into alignment, the email field in AD and in JumpCloud must match exactly for that user.
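A read-only check of the two security groups and the email lookup order described above, written as an added example (it is not JumpCloud's own tooling). It assumes the ActiveDirectory PowerShell module, that the "E-mail:" field is the `mail` attribute and the login name is `userPrincipalName`, and that nested group members count toward membership.

```powershell
# Added example: pre-sync audit of the two AD Bridge security groups.
# Requires the ActiveDirectory module (RSAT). Read-only: it changes nothing.
Import-Module ActiveDirectory

# Assumption: nested members count. Drop -Recursive to check direct members only.
$syncMembers  = Get-ADGroupMember -Identity 'JumpCloud' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
$adminMembers = Get-ADGroupMember -Identity 'JumpCloud Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$syncDns  = @($syncMembers  | ForEach-Object { $_.distinguishedName })
$adminDns = @($adminMembers | ForEach-Object { $_.distinguishedName })

$report = foreach ($m in $syncMembers) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties mail, userPrincipalName

    # Lookup order from the page: "E-mail:" field first, then login name@domain.
    if ($u.mail) {
        $email = $u.mail; $source = 'mail'
    } elseif ($u.userPrincipalName) {
        $email = $u.userPrincipalName; $source = 'userPrincipalName'
    } else {
        $email = $null; $source = 'none'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        Email          = $email
        EmailSource    = $source
        WillBeAdmin    = $adminDns -contains $u.DistinguishedName
    }
}

# Everyone who would be mirrored, with the address that would be picked up.
$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Accounts that would receive "System Admin/Sudo" access: review this list.
$report | Where-Object WillBeAdmin | Select-Object SamAccountName, Email

# In "JumpCloud Admins" but not in "JumpCloud": not synced, admin flag has no effect.
$adminMembers | Where-Object { $syncDns -notcontains $_.distinguishedName } |
    Select-Object SamAccountName, distinguishedName

# Accounts with no usable email address in either location.
$report | Where-Object { -not $_.Email } | Select-Object SamAccountName
```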
Temporarily Halting Active Directory Bridging
You can temporarily disable Active Directory bridge operation by clicking "Disable" in the Identity Sources tab for the Active Directory server you want to disable. This can be helpful when you're performing maintenance on an Active Directory server, and you don't want JumpCloud to create warnings that the server is unavailable.
Restarting the JumpCloud AD Bridge Agent
Should it ever become necessary, you can restart the JumpCloud bridge by opening the service manager (services.msc), finding "JumpCloud AD Bridge Agent", right-clicking it, and selecting "Restart".
What do users experience?
- As soon as a user is added to the security group named "JumpCloud" within Active Directory, they will be synchronized to JumpCloud.
- Similar to when users are newly added to JumpCloud, as the user is added to the JumpCloud security group a "Welcome" email will be delivered to the email address of the identity.
- Users will be unable to access any resources controlled by JumpCloud until they reset their password on their Windows workstation or on a domain controller.
- Taking Over an Existing User Account with JumpCloud) if already managed.
If the username needs to change within AD, the AD Bridge will delete that user's account in JumpCloud, and re-create it with the new user name. This is because JumpCloud disallows username changes. That means that any users who go through a username change will need to be re-associated in any non-AD-sourced tags. It also means that if the user has added any public SSH keys to their user account within JumpCloud, those will be lost.